Privacy policy
Effective from: 2026-04-26
Note: this English version is provided for convenience. In any conflict the Polish version prevails.
§1. Data controller
The controller of your personal data is:
VILLEMO KATARZYNA SOŁODUCHA-POCHODAJ
Tax ID (NIP): 6131535271
REGON: 54390582900000
Address: ul. Olbrachtowska 2/9, 54-063 Wrocław, Poland
GDPR contact: kontakt@doxieflow.com
No Data Protection Officer has been appointed. For all GDPR matters please contact the controller directly at the address above.
§2. What data we process
Depending on your interaction with our shop we process the following categories of data:
- Order: name, delivery address, email, phone, optional Tax ID (NIP, for business invoicing), payment data (sent directly to Stripe).
- Contact: email, message content, any data you voluntarily include.
- Complaint / withdrawal: order number, refund details (bank account number), description of the situation.
§3. Purposes and legal bases of processing
| Purpose | Legal basis | Retention |
|---|---|---|
| Order fulfilment (sales contract) | Art. 6(1)(b) GDPR (contract) | 6 years (statute of limitations) |
| Issuing receipts, accounting | Art. 6(1)(c) GDPR (legal obligation) | 5 years from end of fiscal year |
| Handling complaints / withdrawals | Art. 6(1)(c) GDPR (legal obligation under PL Consumer Rights Act) | 6 years |
| Reply to contact enquiry | Art. 6(1)(f) GDPR (legitimate interest) | up to 2 years from last contact |
| Defence against claims | Art. 6(1)(f) GDPR (legitimate interest) | until the limitation period expires |
§4. Recipients of data (processors)
Your data is shared with third parties only to the extent necessary to fulfil the purposes above. Each processor operates under a data processing agreement:
- Stripe Payments Europe Ltd (Ireland) - payment processing and card data. Address: 1 Grand Canal Street Lower, Dublin, Ireland. Policy: stripe.com/privacy.
- Resend Inc. (USA) - transactional email delivery (order confirmations). Transfer basis: SCC. Policy: resend.com/legal/privacy-policy.
- Cloudflare Inc. (USA / EU) - website hosting, CDN, DDoS protection, DNS. Policy: cloudflare.com/privacypolicy.
- Courier company - delivery details (name, address, phone). The specific carrier is identified in the shipment confirmation.
§5. International data transfers
Some of our processors (Resend, Cloudflare) are based in the United States. Transfers to the US are made on the basis of:
- the European Commission adequacy decision regarding the EU-US Data Privacy Framework (where the processor is certified), or
- Standard Contractual Clauses (SCC).
§6. Your rights
Under GDPR you have the following rights:
- Access - you may request a copy of your data processed by the controller.
- Rectification - you may correct inaccurate or complete incomplete data.
- Erasure (“right to be forgotten”) - you may request deletion of data no longer needed for the purposes for which it was collected (except data whose retention is required by law, e.g. accounting).
- Restriction of processing - you may request a temporary halt of processing.
- Data portability - you may receive your data in a structured format (JSON / CSV).
- Objection - to processing based on legitimate interest.
- Complaint to PUODO - you may file a complaint with the President of the Personal Data Protection Office (uodo.gov.pl).
In each of these cases, write to us at kontakt@doxieflow.com - we’ll respond within 30 days.
§7. Cookies and similar technologies
- The shop uses localStorage (browser storage) to remember cart contents. This data is not sent to the server and is necessary for the shop to function - it does not require consent.
- Stripe Checkout (on its own stripe.com domain) sets its own session and analytics cookies for payment processing and fraud detection - handled under Stripe’s policy.
- Analytics and marketing cookies (if introduced in the future) require your consent and will be handled by a cookie consent banner.
§8. Data security
We apply appropriate technical and organisational measures to protect your data:
- HTTPS encrypted connection across the entire site,
- we do not store payment card data (handled exclusively by Stripe, a certified PCI DSS Level 1 provider),
- limited access to data on the Seller’s side,
- regular configuration backups.
§9. Changes to this Policy
We reserve the right to amend this Privacy Policy. Material changes will be communicated by email (where we have your address). The current version is effective from the date stated at the top of this document.